At my workplace we use Cisco switches to implement a custom traffic delivery mechanism at layer 2. Custom software puts specific destination MACs on Ethernet frames and VLANs segregate the traffic to different locations, while static mac-address table entries are made to direct it to specific ports. The whole delivery system is fairly static, so it works reasonably well for us. I didn't create it, but I understand it reasonably well.

Now I'm trying to understand it just a bit better as I see some odd behavior by the switches. I have two ports:

gi1/10
switchport mode access
switchport access vlan 10

gi1/20
switchport mode trunk
switchport trunk allowed vlan 10-13

and two user-entered mac address table rows:

mac-address-table static 0101.0000.0101 vlan 10 interface gi1/10
mac-address-table static 0101.0000.0000 vlan 13 interface gi1/20

The ports are configured differently to evaluate the difference in techniques.

I have two Linux hosts, one each connected to the above ports. Each is configured the same with four subinterfaces:

eth1.10, eth1.11, eth1.12, and eth1.13.  

There is no IP address on the main interface or any subinterface. I have two traffic sources sending traffic. Each sends ethernet frames with BOTH destination mac addresses, but one traffic source is on vlan 10 and the other is on vlan 13.

On host 1, the host connected to port 1/10, I see no traffic when I sniff eth1.10, 11, 12, or 13, but do see traffic when I run 'tcpdump -i eth1'. This makes sense to me as those subinterfaces would only be expecting traffic tagged with the appropriate VLAN ID (10, 11, 12, or 13) and this switchport is configured for access. Have I interpreted this correctly?

The curious thing is that host 1's tcpdump output ALSO shows the other mac, even though the static entry clearly says to only send the one type of traffic out the port. How is that possible?

The situation is equally strange on host 2 (the one connected to the trunking port). He sees only one mac address (the proper one), but he sees it on both eth1.10 AND eth1.13. Now I'm just confused. How is that possible, even though both vlans have both destination macs? Shouldn't the mac-address-table limit that to just what's entered there?

user27388

2 Answers

I determined my problem for those interested. A third traffic source was incorrectly configured to send to 0101.0000.0000, but on vlan 10. Since that mac was not known for vlan 10, it was broadcast to all interfaces belonging to that vlan, which is why I see the mac on the Linux host connected to that interface.

This also explains why I see that mac on both vlan 10 and 13 on the other host. It was trunked out both vlans and seen by the Linux host on each one.

user27388

Your interpretation of gi1/10 is correct. A 'mode access' port will not send any packets with VLAN tags.

Are those mac addresses you show actually what you're using? The multicast bit is set (the first (leftmost) 01 is the multicast bit) which probably explains why you are seeing those packets on multiple ports.

Heath
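The forwarding behaviour described in both answers, as an added Python model that is not part of the original question or answers: a switch with the question's two ports and two static entries forwards a known (VLAN, MAC) pair only to its static port, floods a destination it has no entry for in that VLAN to every other port carrying the VLAN, hands the frame to the host untagged on an access port (visible on eth1 only) and 802.1Q-tagged on a trunk port (visible on the eth1.<vlan> subinterface), and a helper checks the I/G (multicast) bit Heath points out. The ingress port gi1/1, the host-interface mapping and the simplified switch model itself are assumptions for illustration.

```python
# Added example, not code from the question or answers: a toy VLAN-aware switch
# with static MAC entries and unknown-destination flooding. Port names, VLANs
# and MACs are the question's; "gi1/1" as the ingress port is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0101.0000.0101), colon or dash form; return 12 lowercase hex digits."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is set.
    0101.0000.0101 -> first octet 0x01 -> group (multicast) address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


@dataclass
class Port:
    name: str
    mode: str          # "access" or "trunk"
    vlans: Set[int]    # access: the single access VLAN; trunk: the allowed VLANs


@dataclass
class Switch:
    ports: Dict[str, Port]
    # (vlan, mac) -> egress port, i.e. "mac-address-table static <mac> vlan <n> interface <port>"
    static: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.static[(vlan, normalize_mac(mac))] = port

    def forward(self, ingress: str, vlan: int, dst_mac: str) -> List[Tuple[str, bool]]:
        """Return [(egress port, tagged?)] for a frame that arrived on `ingress` in `vlan`.
        Known (vlan, mac): only the static entry's port. Unknown: flood to every other
        port that carries the VLAN (the behaviour the accepted answer relies on).
        A frame never leaves on a port that does not carry its VLAN."""
        dst = normalize_mac(dst_mac)
        entry = self.static.get((vlan, dst))
        candidates = [self.ports[entry]] if entry is not None else list(self.ports.values())
        return [(p.name, p.mode == "trunk")
                for p in candidates if vlan in p.vlans and p.name != ingress]


def host_interface(egress: Tuple[str, bool], vlan: int) -> str:
    """Which Linux interface on the attached host shows the frame in tcpdump: an access
    port sends it untagged (eth1 only), a trunk port sends it tagged (eth1.<vlan>).
    Assumes the native VLAN is not among the allowed VLANs, so trunk frames are always tagged."""
    _, tagged = egress
    return f"eth1.{vlan}" if tagged else "eth1"


def build_switch() -> Switch:
    """The question's two ports and two static entries, plus an assumed trunk gi1/1
    on which the traffic sources enter the switch."""
    sw = Switch(ports={
        "gi1/1": Port("gi1/1", "trunk", {10, 11, 12, 13}),    # assumed ingress port
        "gi1/10": Port("gi1/10", "access", {10}),
        "gi1/20": Port("gi1/20", "trunk", {10, 11, 12, 13}),
    })
    sw.add_static("0101.0000.0101", 10, "gi1/10")
    sw.add_static("0101.0000.0000", 13, "gi1/20")
    return sw


def where_seen(sw: Switch, vlan: int, dst_mac: str) -> Dict[str, str]:
    """Map each egress port to the host interface that would capture the frame."""
    return {port: host_interface((port, tagged), vlan)
            for port, tagged in sw.forward("gi1/1", vlan, dst_mac)}


if __name__ == "__main__":
    sw = build_switch()
    # VLAN 10 source to the MAC that has a static entry in VLAN 10: gi1/10 only, untagged.
    print(where_seen(sw, 10, "0101.0000.0101"))   # {'gi1/10': 'eth1'}
    # VLAN 13 source to its static MAC: the trunk only, tagged 13.
    print(where_seen(sw, 13, "0101.0000.0000"))   # {'gi1/20': 'eth1.13'}
    # The misconfigured third source: 0101.0000.0000 has no entry in VLAN 10,
    # so it floods to gi1/10 (untagged) and gi1/20 (tagged 10).
    print(where_seen(sw, 10, "0101.0000.0000"))   # {'gi1/10': 'eth1', 'gi1/20': 'eth1.10'}
    print(is_multicast("0101.0000.0101"), is_multicast("0011.2233.4455"))   # True False
```

The third case reproduces both observations in the accepted answer at once: host 1 sees the "wrong" MAC on eth1 because the access port floods it untagged, and host 2 sees the same MAC on eth1.10 (the flooded copy) as well as eth1.13 (the copy the static entry sends out). The `is_multicast` check is the quick sanity test to run on any MAC before giving it a static entry, since a group address with no entry in a VLAN will likewise be flooded.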